Answers / Risk & Compliance

Explain the COSO ERM framework.

A core Risk & Compliance interview question — asked in analyst and associate interviews across IB, PE, and the Big 4.

THE SHORT ANSWER

COSO ERM (the 2017 'Enterprise Risk Management — Integrating with Strategy and Performance') frames risk management not as a standalone compliance exercise but as integral to setting and executing strategy and driving performance. It has five interrelated components: Governance & Culture (board oversight, operating structure, ethical values); Strategy & Objective-Setting (analyzing business context, defining risk appetite, evaluating alternative strategies); Performance (identifying, assessing, prioritizing risks and selecting responses in pursuit of objectives); Review & Revision (assessing how the ERM is working and improving it); and Information, Communication & Reporting. Underpinning these are around twenty principles. The key 2017 shift from the older cube was linking ERM explicitly to strategy — recognizing that the biggest risk is often choosing the wrong strategy — and putting risk appetite at the center of decision-making, rather than treating ERM as a back-office risk-list exercise.

WHAT INTERVIEWERS LISTEN FOR

  • 2017 ERM integrates risk with strategy and performance (not compliance silo)
  • Five components: Governance & Culture; Strategy & Objective-Setting; Performance; Review & Revision; Information, Communication & Reporting
  • ~20 underlying principles
  • Key shift: link to strategy, risk appetite central

COMMON MISTAKES

  • Describing ERM as a standalone risk list
  • Not knowing the five components
  • Missing the strategy-integration shift

Reading isn't the same as answering under pressure.

Interviewers don't hand you the model answer — you deliver yours on a clock. Practice this and 1,000+ questions with AI feedback on every answer.

TRY QUICKFIRE →Or train full Risk & Compliance case simulations →

RELATED QUESTIONS